CORS with client https certificates

前端 未结 2 1599
无人共我
无人共我 2021-02-15 01:42

I have a site with two https servers. One (frontend) serves up a UI made of static pages. The other (backend) serves up a microservice. Both of them happen to be using the sa

相关标签:
2条回答
  • 2021-02-15 02:21

    When using CORS with credentials (basic auth, cookies, client certificate, etc.):

    • Access-Control-Allow-Credentials must be true
    • Access-Control-Allow-Origin must not be *
    • Access-Control-Allow-Origin must not be multi-value (neither duplicated nor comma-delimited)
    • Access-Control-Allow-Origin must be set to exactly the value from the request's Origin header in order for the request to work (either hard-coded that way or if it passes a whitelist of allowed values)
    • The preflight OPTIONS request must not require credentials (including the client certificate). Part of the purpose of the preflight is to ask what is allowed in a CORS request, and therefore sending credentials before knowing if they are allowed is incorrect.
    • The preflight OPTIONS request must return a 200-level response, generally 204

    Note: For Access-Control-Allow-Origin, you may want to consider allowing the value null since redirect chains (like the ones typically used for OAuth) can cause that Origin value in a request from a browser.

    0 讨论(0)
  • 2021-02-15 02:27

    I haven't actually tested this using client certificates, but I seem to recall that Firefox will not send credentials if Access-Control-Allow-Origin is set to the * wildcard instead of an actual domain. See this page on MDN.

    Also there's an issue with Firefox sending a CORS request to a server that expects the client certificate to be presented in the TLS handshake. Basically, Firefox will not send the certificate during the preflight, creating a chicken and the egg problem. See this bug on bugzilla.

    0 讨论(0)
提交回复
热议问题